Five ways to make the most of risk assessment

When the first set of general corporate compliance program standards – the Federal Sentencing Guidelines for Organizations – was issued in 1991, there was no mention of risk assessment. More recent standards, however – including the “Evaluation of Corporate Compliance Programs” issued by the U.S. Justice Department Criminal Division earlier this month – have placed risk assessment front and center in the government’s expectations concerning effective compliance and ethics programs.

This latest guidance will likely give compliance and ethics professionals momentum for conducting (as the case may be) foundational or follow-on risk assessments for their respective organizations. But will they use the opportunity to full advantage? 

Assessing ethics risks. While many companies claim that their compliance and ethics program addresses ethics as well as compliance issues, often the latter is largely a matter of window dressing. By including true ethics questions in this aspect of a risk assessment, one can help ensure that the program’s ethics components are as robust as the compliance ones.

What are ethics-related risks? One might start with questions addressed to fairness, truthfulness, or transparency in the organization. Also, one should use any of the company’s core values that are ethics-related.

Setting program boundaries. One of the opportunities offered by risk assessment is the chance to set meaningful “boundaries” for the remit of the chief ethics and compliance officer. That is, a compliance program needs to specify what areas she is primarily responsible for (e.g., in most companies this will include conflicts of interest) and what her areas of secondary responsibility are (e.g., in some companies this would include insider trading or workplace safety).

Of course, companies do not necessarily have to resolve these questions in the context of conducting a risk assessment. But given that such issues tend to involve disputes about corporate “turf,” doing so as part of a larger process might be helpful, particularly as it would be risk-based.

Using behavioral ethics approaches. There are several ways that behavioral compliance and ethics can enhance risk assessment.

  • One is helping those involved in the assessment have a better understanding of behavioral risks — meaning an understanding based on behavioral science. For instance, being under time pressure enhances the risk of wrongdoing, which should be included in the assessment.
  • A second is based on behavioral science research showing that individuals tend to optimistically predict their own future moral conduct but accurately predict the less moral future behavior of others. This suggests that a more efficacious way of posing risk assessment inquiries is to ask about others rather than directly about the interviewee.
  • The third area of behavioral ethics that should be reflected in a risk assessment concerns the “just-in-time” approach to training and investigations. That is, for each area of risk, the assessment should determine whether there is a basis for just-in-time training/communications, and if so, what such training should consist of. (E.g., if salespeople are scheduled to attend a trade show, one should consider delivering confidential information training/communications right before the show.)

Note that behavioral ethics has implications beyond risk assessment. But risk assessment can be seen as a “delivery device” for introducing behavioral ethics ideas and information to the compliance and ethics program as a whole.

Including the C-Suite in the assessment. Executives generally create more risks than do lower-level employees. This should be – but often is not – reflected in the design and implementation of the risk assessment.

For instance, a risk assessment might seek to determine what contacts the CEO had with her counterpart at a competitor organization. It might also pose questions about Reg FD and insider trading compliance.

Make the most of the interviews. A good risk assessment interview not only provides information to the assessor; it also educates interviewees by asking them questions that require them to think about how the program applies to them.

Ideally, this would entail some preparation on the interviewees’ part, though in many companies, there would be resistance to this. Still, at least in my experience, interviewees generally want to show that they understand their business and – if properly harnessed – this can be another driver for effective risk assessment.
